TOTP / 2FA Code Generator
Generate a TOTP/2FA code from a Base32 secret instantly — 100% in your browser, your secret never leaves your device. QR setup + code verify. Free, no signup.
What Is a TOTP / 2FA Code Generator?
A TOTP generator turns a shared secret into the rotating one-time code that powers two-factor authentication. TOTP — Time-based One-Time Password, defined in RFC 6238 — takes a Base32 secret and the current time, splits time into fixed steps (30 seconds by default), and runs an HMAC over the step counter to derive a short numeric code. Because both your authenticator app and the server hold the same secret and read the same clock, they compute the identical code without ever exchanging it over the network. That is the whole point of 2FA: even if your password leaks, an attacker still needs the code that only your secret can produce right now.
"The TOTP algorithm is a time-based variant of the HOTP algorithm... TOTP = HOTP(K, T), where T is an integer representing the number of time steps between the initial counter time T0 and the current Unix time." — RFC 6238, Section 4
This tool does three jobs on one page. It generates a live code from any Base32 secret with a countdown and next-code preview; it sets up a brand-new secret, building the otpauth:// URI and QR code you scan into an authenticator app; and it verifies a code against a secret with a ±1 time-step tolerance, matching how real servers accept a code that just rotated. All of it runs through the browser's native Web Crypto API with zero dependencies and zero network calls.
Developers reach for a TOTP generator constantly: to reproduce the exact code a user's app shows while debugging a 2FA login, to mint a secret and QR for a new account, to confirm that a verification window on the server matches what users experience, or to build deterministic fixtures for end-to-end tests of a two-factor flow. Because the secret is a long-lived key — anyone who has it can generate every future code — it must be protected like a password. Pair this tool with our random password generator for the strong passwords and recovery codes that sit alongside 2FA, and with the QR code generator when you need a standalone enrollment image. For signing the JSON Web Tokens that often ride on top of an authenticated session, see the JWT encoder.
// Generate a TOTP code in the browser with the Web Crypto API
// (SHA-1, 6 digits, 30s period — RFC 6238 defaults)
async function generateTotp(base32Secret, time = Date.now()) {
  // Decode the Base32 secret to raw bytes (A-Z, 2-7).
  // Spaces and '=' padding are ignored; any other character is rejected.
  const alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  let bits = '';
  for (const ch of base32Secret.replace(/[\s=]/g, '').toUpperCase()) {
    const v = alpha.indexOf(ch);
    if (v < 0) throw new Error(`Invalid Base32 character: ${ch}`);
    bits += v.toString(2).padStart(5, '0');
  }
  // Leftover bits that do not fill a whole byte are dropped
  const bytes = new Uint8Array(
    (bits.match(/.{8}/g) || []).map((b) => parseInt(b, 2)));
  // Counter = number of 30s steps since the Unix epoch (8-byte big-endian)
  const counter = Math.floor(time / 1000 / 30);
  const msg = new Uint8Array(8);
  let c = counter;
  for (let i = 7; i >= 0; i--) { msg[i] = c & 0xff; c = Math.floor(c / 256); }
  const key = await crypto.subtle.importKey(
    'raw', bytes, { name: 'HMAC', hash: 'SHA-1' }, false, ['sign']);
  const hmac = new Uint8Array(await crypto.subtle.sign('HMAC', key, msg));
  // Dynamic truncation (RFC 4226) -> 6-digit code
  const off = hmac[hmac.length - 1] & 0x0f;
  const bin = ((hmac[off] & 0x7f) << 24) | (hmac[off + 1] << 16) |
    (hmac[off + 2] << 8) | hmac[off + 3];
  return (bin % 1_000_000).toString().padStart(6, '0');
}
// Top-level await: run this in a module script or inside an async function
const code = await generateTotp('JBSWY3DPEHPK3PXP');
// -> a 6-digit code that rotates every 30 seconds
Key Features
Live Code With Countdown
Paste a Base32 secret and the current TOTP code appears instantly with a 30-second countdown ring and a preview of the next code — no Generate button, no waiting.
Secret & QR Setup
Generate a random Base32 secret, then get the otpauth:// URI and a QR code to scan straight into Google Authenticator, Authy, or 1Password.
Built-In Code Verifier
Check a code against a secret with the same ±1 time-step tolerance real servers use, so a code that just rotated still validates.
Configurable Algorithm & Digits
Switch between SHA-1, SHA-256, and SHA-512, choose 6 or 8 digits, and set a 30s or 60s period to match any provider's requirements.
Secret Never Leaves Your Browser
Every code is computed locally via the native Web Crypto API. Nothing is uploaded, logged, or stored — verifiably so, even offline.
Zero Dependencies
Built only on the browser's Web Crypto API — no third-party libraries, no telemetry, and no network calls of any kind.
TOTP Generator Examples
Standard 6-Digit TOTP (SHA-1, 30s)
secret: JBSWY3DPEHPK3PXP algorithm: SHA-1 digits: 6 period: 30s
Code: 282760 · expires in 30s
The canonical RFC 6238 test secret with the default settings every mainstream app uses — SHA-1, 6 digits, a 30-second period. The code is time-based, so the exact value depends on the current time; the tool shows a live countdown and the next code.
8-Digit Enterprise TOTP (SHA-256)
secret: JBSWY3DPEHPK3PXP algorithm: SHA-256 digits: 8 period: 30s
Code: 31094217 · expires in 30s
Some enterprise and high-security systems issue 8-digit codes signed with SHA-256 instead of the SHA-1 default. Match the algorithm, digit count, and period exactly to what your server expects, or the generated code will not validate.
otpauth:// Setup URI for Authenticator Apps
issuer: Acme account: alice@example.com secret: JBSWY3DPEHPK3PXP
otpauth://totp/Acme:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Acme&algorithm=SHA1&digits=6&period=30
The tool builds a standard otpauth:// URI and renders it as a QR code. Scan it with Google Authenticator, Authy, or 1Password — or paste the URI directly — to enroll the secret on your device.
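The setup URI above carries every parameter a generator or server has to match, so it is worth parsing strictly before trusting it. The following is an added example, not the tool's own code: `buildOtpauth` and `parseOtpauth` are hypothetical helper names, and the defaults (SHA1, 6 digits, 30 s) are the ones this page names.

```javascript
// Added example, not the tool's code: build and strictly parse otpauth://totp URIs.
const ALGORITHMS = ['SHA1', 'SHA256', 'SHA512'];

function buildOtpauth({ issuer, account, secret, algorithm = 'SHA1', digits = 6, period = 30 }) {
  if (issuer.includes(':') || account.includes(':')) throw new Error('":" is the label separator');
  // Percent-encode every component so a name cannot alter the URI structure.
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(account)}`;
  const query = Object.entries({ secret, issuer, algorithm, digits, period })
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
  return `otpauth://totp/${label}?${query}`;
}

function parseOtpauth(uri) {
  const u = new URL(uri);
  if (u.protocol !== 'otpauth:' || u.hostname !== 'totp') throw new Error('not an otpauth://totp URI');
  const label = decodeURIComponent(u.pathname.slice(1));
  const sep = label.indexOf(':');
  const prefix = sep >= 0 ? label.slice(0, sep) : null;
  const account = label.slice(sep + 1).trim();
  const q = u.searchParams;
  const issuer = q.get('issuer') ?? prefix;
  // A label prefix that disagrees with the issuer parameter is ambiguous: refuse it.
  if (prefix !== null && issuer !== prefix) throw new Error('issuer parameter and label prefix differ');
  // Spaces from a printed key and trailing "=" are tolerated; the rest must be A-Z or 2-7.
  const secret = (q.get('secret') ?? '').replace(/\s+/g, '').replace(/=+$/, '').toUpperCase();
  if (!/^[A-Z2-7]+$/.test(secret)) throw new Error('secret is not valid Base32');
  const algorithm = (q.get('algorithm') ?? 'SHA1').toUpperCase();
  if (!ALGORITHMS.includes(algorithm)) throw new Error(`unsupported algorithm: ${algorithm}`);
  const digits = Number(q.get('digits') ?? 6);
  if (digits !== 6 && digits !== 8) throw new Error('digits must be 6 or 8');
  const period = Number(q.get('period') ?? 30);
  if (!Number.isInteger(period) || period <= 0) throw new Error('period must be a positive integer');
  return { issuer, account, secret, algorithm, digits, period };
}

// The setup URI shown on this page, parsed into the parameters a generator must match.
const PAGE_URI = 'otpauth://totp/Acme:alice@example.com' +
  '?secret=JBSWY3DPEHPK3PXP&issuer=Acme&algorithm=SHA1&digits=6&period=30';
console.log(parseOtpauth(PAGE_URI));
```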
How to Use the TOTP Generator
1. Paste a Base32 Secret
On the Generate tab, paste your Base32 secret (for example JBSWY3DPEHPK3PXP). The current TOTP code appears instantly with a 30-second countdown — no Generate button.
2. Adjust Advanced Options (optional)
Open advanced options to change the algorithm (SHA-1/256/512), digit count (6 or 8), or period (30 or 60s) to match what your provider issued.
3. Set Up or Verify
Use the Set up tab to generate a secret and QR for an authenticator app, or the Verify tab to check a code against a secret with ±1 time-step tolerance.
Common Mistakes
Mismatched Algorithm or Digits
A secret issued for SHA-256 or 8 digits produces a completely different code under the SHA-1 / 6-digit defaults. Match the provider's parameters exactly.
secret + SHA-1/6 digits // but server expects SHA-256/8
algorithm: SHA-256, digits: 8 // match the otpauth:// URI
Clock Drift
If the device clock is off by more than one time step, the code will not validate. Sync the system clock before comparing codes.
system clock 90s fast // code is two steps ahead
enable NTP / automatic time // code aligns with server
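The ±1 time-step tolerance and the clock-drift failure above can be reproduced on the server side. This is an added example, not the tool's own code: it assumes Node.js with its built-in crypto module, `hotp` and `verifyTotp` are hypothetical names, and the key is the SHA-1 test key from RFC 6238 Appendix B passed as raw bytes.

```javascript
// Added example, not the tool's code. Assumes Node.js and its built-in crypto module.
const { createHmac, timingSafeEqual } = require('node:crypto');

// HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, digits = 6, algorithm = 'sha1') {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac(algorithm, key).update(msg).digest();
  const off = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(off) & 0x7fffffff;
  return (bin % 10 ** digits).toString().padStart(digits, '0');
}

// Server-side check. Returns the step offset that matched (-1, 0 or +1 when
// window = 1) or null. Every candidate step is compared, each in constant time.
function verifyTotp(key, code, opts = {}) {
  const { nowMs = Date.now(), period = 30, digits = 6, window = 1, algorithm = 'sha1' } = opts;
  if (typeof code !== 'string' || code.length !== digits || !/^\d+$/.test(code)) return null;
  const step = Math.floor(nowMs / 1000 / period);
  let matched = null;
  for (let d = -window; d <= window; d++) {
    if (step + d < 0) continue; // no counter before the epoch
    const expected = hotp(key, step + d, digits, algorithm);
    if (timingSafeEqual(Buffer.from(expected), Buffer.from(code))) matched = d;
  }
  return matched;
}

// Constructed sample: the SHA-1 test key from RFC 6238 Appendix B, as raw bytes.
const RFC_KEY = Buffer.from('12345678901234567890', 'ascii');

function demo() {
  const serverNow = 59_000;                  // server clock, inside step 1
  const code = hotp(RFC_KEY, 1);             // what an in-sync device shows
  const fastDevice = hotp(RFC_KEY, Math.floor((59 + 90) / 30)); // device clock 90 s fast
  return {
    inSync: verifyTotp(RFC_KEY, code, { nowMs: serverNow }),
    justRotated: verifyTotp(RFC_KEY, code, { nowMs: serverNow + 2_000 }),
    expired: verifyTotp(RFC_KEY, code, { nowMs: serverNow + 36_000 }),
    drifted: verifyTotp(RFC_KEY, fastDevice, { nowMs: serverNow }),
  };
}

console.log(demo());
```

The returned offset is worth logging: a device that consistently matches at -1 or +1 is drifting toward the edge of the window.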
Invalid Base32 Secret
Base32 uses only A–Z and 2–7. Spaces from a printed key are fine, but a 0, 1, or 8 is not valid Base32 and will fail to decode.
secret: "JBSW 0NE8" // contains 0 and 8
secret: "JBSWY3DPEHPK3PXP" // valid Base32
Common Use Cases
- Debug a 2FA Login Flow
- Reproduce the exact code a user's authenticator app shows, so you can trace why a two-factor sign-in is being rejected.
- Enroll a New Account
- Generate a fresh Base32 secret and QR code, then scan it into Google Authenticator, Authy, or 1Password to set up 2FA.
- Validate Your Server's Window
- Verify codes against a secret to confirm your backend accepts a code that just rotated and rejects an expired one.
- Build End-to-End Test Fixtures
- Compute deterministic TOTP codes from a known secret to drive automated tests of a two-factor authentication flow.
- Match Enterprise Settings
- Reproduce 8-digit or SHA-256 codes when a provider departs from the SHA-1 / 6-digit defaults, to debug a mismatch.
- Recover Access Quickly
- Generate the current code from a backed-up secret when your phone is unavailable — using a disposable copy of the secret.
Technical Details
- RFC 6238 / RFC 4226 Compliant
- Implements TOTP per RFC 6238 on top of the HOTP dynamic-truncation algorithm from RFC 4226, with selectable SHA-1, SHA-256, and SHA-512.
- Native Web Crypto HMAC
- Codes are derived via crypto.subtle HMAC over the big-endian time-step counter. Base32 decoding and truncation run entirely in-browser.
- Standard otpauth:// URIs, Zero Dependencies
- Setup URIs follow the Key Uri Format (otpauth://totp) with issuer, algorithm, digits, and period parameters. No external libraries, no network calls.
Best Practices
- Treat the Secret Like a Password
- Anyone with the Base32 secret can generate every future code. Store it in a secrets manager, never in source control, and prefer test secrets here.
- Keep Clocks in Sync
- TOTP depends on accurate time. Enable network time sync on servers and devices so codes line up within the verification window.
- Stick to the Defaults Unless Required
- SHA-1, 6 digits, and a 30-second period maximize app compatibility. Only switch to 8 digits or SHA-256/512 when your provider mandates it.
TOTP / 2FA Generator FAQ
Is an online TOTP / 2FA generator safe to use?
otpauth:// URI, and the generated code are all computed locally with the native Web Crypto API. There are no network requests, no logging, no storage, and no analytics tied to your input — you can verify this by disconnecting from the internet and watching the tool keep working. That is the opposite of a sketchy generator that POSTs your secret to a server, where the operator could mint your codes forever. A TOTP secret is a long-lived shared key, so the safest habit is still to prefer disposable or test secrets when you just need to experiment.
What is TOTP and what is a Base32 secret?
JBSWY3DPEHPK3PXP is the well-known RFC test secret.
Why is the generated code different from my phone's authenticator app?
What's the difference between TOTP and HOTP?
Can I use 8-digit codes or SHA-256 / SHA-512?
otpauth:// URI the tool generates records those parameters so your app enrolls the secret correctly.
How do I add this secret to Google Authenticator, Authy, or 1Password?
otpauth:// URI. In Google Authenticator or Authy, tap the add button and choose Scan a QR code to point your camera at the on-screen QR, or choose Enter a setup key and paste the Base32 secret with the matching account name and algorithm. In 1Password, edit a login item, add a One-Time Password field, and paste the otpauth:// URI directly. Need a standalone QR image for documentation? Use our QR code generator, and for the random secrets and recovery codes around it, the random password generator.